What New RIAs Need to Consider with Electronic Communications
In today's digital age, electronic communications play a crucial role in business operations. As you embark on this exciting journey, it's important to remember the electronic communications records obligations that come with being a registered investment advisor (RIA). With electronic communications serving as the primary medium for collaboration and engagement, RIAs must take extra care to meet recordkeeping and supervisory obligations set forth by the SEC.
In our recent webinar, Considerations for New RIAs: Electronic Communications Best Practices, our regulatory experts discussed:
- Key regulations for RIAs
- How to get started with electronic recordkeeping and supervision obligations
- Best practices to consider when implementing your policies and procedures.
Below is a summary of the critical points from our discussion.
Rules of the road
The two main categories of electronic recordkeeping obligations are books and records and supervision. Advisers Act Rule 204-2 is the main books and records rule for RIAs. The rule outlines specific requirements for the storage, retention, and accessibility of electronic records, such as ensuring that records are tamper-proof, stored in a format that cannot be altered, and available for immediate retrieval in a readable format. This storage requirement is sometimes referred to as WORM compliance, which stands for write once, read many: the data is locked down to ensure you have a complete and accurate record of all your business communications.
The second category is supervision, which is also known as the Compliance Rule. These requirements state that you must supervise all your business communications, whether email or chat, to ensure compliance.
For a slightly more modern take on electronic communications, the OCIE Risk Alert for Observations from Investment Advisers Examinations Relating to Electronic Messaging provides additional guidance around electronic communications practices for business communications and how RIAs could comply with the Books and Records Rules and the implementation of policies and procedures required by the Compliance Rule.
Defining a business record
Take an inventory of how you communicate internally, externally, and particularly with clients. This goes well beyond email into collaboration tools, social media, text messaging, and other messaging applications. Define what would be considered a business record under regulations. Consider how you will retain, review, and supervise those communications over the long haul.
Develop robust policies and procedures
Regulators are increasingly looking for customized, thoughtful business decisions in policies and procedures, so it's crucial to make sure that you're rightsizing your supervision and gaining crucial insights into your business as you go through your review. RIAs should state not only which communication channels are permitted for business communications but also which are prohibited and how they'll supervise off-channel business communications.
Documentation of your supervision review is also crucial to electronic recordkeeping. Additionally, think through how you'll handle violations and ensure that policies and procedures reflect this. Once your policies and procedures are defined, think about customizing lexicons and reviews for different types of business communications you're engaged with. For example, consider using contextual phrases instead of single-word lexicons to identify risk and set up red flags for off-channel communications. This helps ensure that your business communications are supervised effectively.
Features within those permitted channels are changing rapidly. Another best practice we're seeing is maintaining ongoing evaluation within those permitted channels. Is there a new whiteboard that's popped up in your communication channel? Is there a new feature that you must figure out? Can you monitor it? Can you turn it off if you're going to prohibit it?
When it comes to regulatory obligations, it's important to know whether you're covered or exposed and what communication channels need to be archived to be compliant. It's also crucial to capture everything and let people know if some channels — or features within channels — are off-limits. If some channels cannot be archived, it's best to find out early in the process. There may be prerequisites, such as licenses or requirements from InfoSec teams, that need to be considered before choosing a compliance vendor.
Historical data should also be considered, mainly the cost-benefit analysis and what needs to be archived. Firms should also identify who is required to be archived and who else needs to be archived in addition to them.
Define your goals and outcomes
Defining goals and outcomes is an important best practice when it comes to electronic communication for RIAs. Defining your goals helps you set measurable objectives, track progress and make needed adjustments along the way.
To get started, figure out why you need to archive electronic communications. Beyond regulatory requirements, there are other reasons, such as storing data longer for internal processes and policies. By defining the archiving goals, you can ensure that you're meeting compliance obligations and making the most of your investment in archiving solutions.
Once you have identified your goals, it's important to communicate them to your compliance archiver to ensure they are on board and delivering exactly what you need. This can help avoid miscommunications that could lead to non-compliance. It's also essential to ensure that your business partners understand the outcomes that you need, so they can help you achieve success.
A well-designed supervision program should incorporate a centralized platform for efficient message alerting, documentation, reporting, and other compliance-related tasks, ensuring seamless accessibility and tracking in the event of an audit or regulatory request.
Firms are advised to perform periodic checks and balances, not only in preparation for an SEC visit but also on an ongoing basis. This includes monthly, quarterly, or other regular assessments to determine whether you are meeting your targets and adhering to the requirements of your written supervisory procedures (WSPs).
You should also review each user or channel to determine if you're under-reviewing or over-reviewing any area. It's essential to regularly evaluate policy and lexicon performance, as policies tend to drift over time. This review should include an assessment of your highest hit rate policies. It's vital to consider whether changes to communication channels have occurred over the last year — such as WhatsApp's rapid growth in the industry — and whether you have adjusted your policies accordingly.
Managing electronic recordkeeping requires compliance with various regulations and best practices. By defining what a business record is, developing custom policies and procedures, and documenting your compliance, you can help ensure that your electronic business communications are being recorded and supervised effectively. These rules and best practices can help you demonstrate compliance with these regulations and better prepare for audits and regulatory requests.